Working with attachment security settings

You can control how IBM Traveler clients manage file attachments and images.

All modern mobile devices have built in capabilities which allow file data to be shared between applications. File data in the form of attachments to Domino mail messages and Domino To Do documents is allowed by default to sync using IBM Traveler from the Domino mail server to the mobile device. Once this file data is available on the device, it is possible to share it with other third party applications on the device that support file data of the same type. For example, data for a presentation file could be shared with a presentation editor or viewer. Being able to use third party applications is a very powerful ability, and can greatly improve the usefulness of mobile devices and overall productivity. However, there can be security concerns for what happens with this data once it is obtained by a third party application.

IBM Traveler attachment security settings are used to control how IBM Traveler clients manage file attachments and images. When these settings are enabled, IBM Verse for Android and the Apple iOS Mail client restrict file attachments and images from being shared with third party applications unless these applications have been approved by the IBM Traveler administrator. In the case of the Apple iOS Mail client, an additional option is available which enforces that attachments can only be viewed using the IBM Traveler Companion application or the IBM Traveler To Do application.

Alternatively, Mobile Application Management (MAM) providers can provide data sharing and export controls which do not rely upon the IBM Traveler attachment security settings.

Apple iOS Mail client

IBM Traveler supports the built-in, native mail client on the Apple iOS platform. To control how attachment data is shared with other applications using the client, the IBM Traveler server removes all file attachments and images from mail messages that sync to the built in mail client once attachment security settings are enabled. Note this only applies to new messages syncing to the device after the policy is enabled.

For the Apple iOS Mail client, the strategy for attachment security settings is to use the IBM Traveler Companion or To Do applications as a secure container in which attachment data can either be viewed or passed to administrator defined approved applications. For attachment viewing, Traveler Companion and To Do use Apple Quick Look controls to enforce a view only mode for attachment file data supported by these controls. Attachment viewing is supported on Apple iOS devices for the following file formats:
  • Microsoft Office documents (Office ‘97 and newer)
  • Rich Text Format (RTF) documents
  • PDF files
  • Images
  • iWork documents
  • Text files
  • Comma-separated value (csv) files

If the viewing of additional file types is needed, or if attachment handling is required from other third party applications, the IBM Traveler administrator can define additional applications using the Approved Application interface. Note that when approved applications are defined, the Open-In menu item will be available when you long press an attachment from within the IBM Traveler Companion or To Do application. The Open-In menu displays all applications on the device that are capable of opening an attachment of this type, even if the application is not approved. If the user selects an unapproved application, they will receive an error message indicating that the administrator has prohibited the use of the selected application to read attachments.

To enable these polices, see Enabling attachment security settings.

To create the definitions for approved applications, see Defining approved applications for Apple iOS devices.

IBM Verse for Android devices

IBM Verse for Android devices requires approved applications be defined in order to view attachment data. There are no viewer controls built into the Android OS or IBM Traveler at this time. If attachment security settings are enabled, then you must define approved applications in order to access any of the attachment data on mobile devices. Approved applications are applications that have been "approved" by the administrator for attachment handling. This generally implies that the administrator has done some amount of testing with the application and is familiar enough with it to know that it will not leak attachment data outside itself. The IBM Traveler attachment security settings only enforce the attachment data contained within the IBM Traveler mail account or To Do application, and is shared with applications in the approved list. Once the attachment data is consumed by another application, IBM Traveler can no longer control what happens to it.

To enable these polices, see Enabling attachment security settings.

To create the definitions for approved applications, see Defining approved applications for Android devices.